Configuring J2SE 5.0 PKCS#11 Providers | Sun Microsystems 820433510

Using Hardware Crypto Accelerator With Enterprise Server

Working With Private Keys and Certificates

Use certutil to create self-signed certificates and to import or export certificates. To import or export private keys, use the pk12util utility. For more details, see “Using Network Security Services (NSS) Tools” on page 116

Caution – In Enterprise Server, do not modify the NSS password directly with the NSS tools certutil and modutil. If you do so, security data in Enterprise Server might be corrupted.

Configuring J2SE 5.0 PKCS#11 Providers

Enterprise Server relies on J2SE PKCS#11 providers to access keys and certificates that are located in PKCS#11 tokens at runtime. By default, Enterprise Server configures a J2SE PKCS#11 provider for the NSS soft token. This section describes how to override the default configuration for the J2SE PKCS#11 provider.

In Enterprise Server, the following default PKCS#11 configuration parameters are generated for each PKCS#11 token.

■Configuration for the default NSS soft token:

name=internal

library=${com.sun.enterprise.nss.softokenLib} nssArgs="configdir=’${com.sun.appserv.nss.db}’

certPrefix=’’ keyPrefix=’’ secmod=’secmod.db’" slot=2

omitInitialize = true

■Configuration for the SCA 1000 hardware accelerator:

name=HW1000

library=/opt/SUNWconn/crypto/lib/libpkcs11.so

slotListIndex=0

omitInitialize=true

These configurations conform to the syntax described in the Java PKCS#11 Reference Guide.

Note – The name parameter has no requirements other than that it must be unique. Certain older versions of J2SE 5.0 support alphanumeric characters only.

You can override the default configuration parameters by creating a custom configuration file. For example, you can explicitly disable the RSA Cipher and RSA Key Pair Generator in SCA–1000. For details on disabling the RSA Cipher and RSA Key Pair Generator, see http://www.mozilla.org/projects/security/pki/nss/tools.

124	Sun GlassFish Enterprise Server 2.1 Administration Guide • December 2008

Image 124

Sun Microsystems 820433510 manual Configuring J2SE 5.0 PKCS#11 Providers, Working With Private Keys and Certificates

Contents

Sun GlassFish Enterprise Server 2.1 Administration Guide Sun Microsystems, Inc Network Circle Santa Clara, CA 090122@21808 Contents Java Business Integration Jdbc Resources Accessing Remote Servers Configuring JMS Provider PropertiesIBM Informix Type 4 Driver CloudScape 5.1 Type 4 Driver Foreign JMS Providers Configuring Security Web and EJB Containers 127 141 149Virtual Servers 149 Http Listeners 150 153 What is the ORB? 162 Iiop Listeners 158161 163 About Management Rules 215 Configuring Management Rules 216 Tuning the JVM Settings 219215 219 Asadmin Utility Profiler and SSL Commands231 244Page Figures Page Tables JVM Statistics for Java SE Runtime 189 Remote Commands Required Options 234 Server Lifecycle Commands 237List and Status Commands 238 Deployment Commands 239 Examples Page Sun GlassFish Enterprise Server Documentation Set PrefaceTable P-1Books in the Enterprise Server Documentation Set Default Paths and File Names Table P-2Default Paths and File Names Symbol Conventions Symbol ConventionsTypographic Conventions Table P-3Typographic Conventions Third-Party Web Site References Documentation, Support, and TrainingSun Welcomes Your Comments Enterprise Server Overview Enterprise Server Overview and ConceptsEnterprise Server Overview This section contains the following topics Tools for Administration Admin ConsoleFor example Http//hostnameport To list the commands available within asadmin Command-line Interface asadmin UtilityJConsole Enterprise Server Concepts Domain Administration Server DASDomain 1Features Available for Each Profile Usage Profiles Cluster Features Available for Each ProfileNode Agent Server Instance 1Enterprise Server Instance Ports in the Enterprise Server 2Enterprise Server Listeners that Use Ports Creating a Domain Basic Enterprise Server CommandsHttp//hostname5000 Listing Domains Deleting a DomainStarting the Domain Starting the Default Domain on Windows Stopping the Default Domain on WindowsStopping the Domain Restarting the Domain Starting a Cluster Stopping a ClusterCreating a Node Agent Starting a Node Agent Stopping a Node Agent Starting an InstanceStopping an Instance Restarting an Instance Recreating the Domain Administration Server To migrate the DAS Change Page Service Engines Java Business IntegrationJBI Environment JBI Components Binding Components JBI Component Loggers Service Assemblies Shared Libraries JBI Descriptors Jdbc Resources Jdbc Resources Jdbc Connection Pools How Jdbc Resources and Connection Pools Work Together Setting Up Database Access Working with Jdbc Connection Pools Creating a Jdbc Connection Pool Click OK Change connection validation settings Editing a Jdbc Connection Pool By calling the con.getAutoCommit and con.getMetaData methods Editing Jdbc Connection Pool Advanced Attributes Creation Retry Attempts is greater than Configurations for Specific Jdbc Drivers Configurations for Specific Jdbc Drivers Java DB Type 4 Driver DataSource Classname Specify one of the following Sun GlassFish Jdbc Driver for DB2 Databases DataSource Classname com.sun.sql.jdbcx.db2.DB2DataSource Sun GlassFish Jdbc Driver for Microsoft SQL Server Databases IBM DB2 8.1 Type 2 Driver DataSource Classname com.ibm.db2.jcc.DB2SimpleDataSourceDeferPrepares Set to false DataSource ClassnameSpecify one of the following Inet Oraxo Jdbc Driver for Oracle 8.1.7 and 9.x Databases MySQL Type 4 DriverCom.mysql.jdbc.jdbc2.optional.MysqlDataSource Inet Merlia Jdbc Driver for Microsoft SQL Server Databases DataSource Classname com.inet.ora.OraDataSourceDataSource Classname com.inet.tds.TdsDataSource Jdbcinetoralocalhost1521payrolldb Inet Sybelux Jdbc Driver for Sybase Databases DataSource Classname com.inet.syb.SybDataSource Jdbcoraclethin@localhost1521customerdb OCI Oracle Type 2 Driver for Oracle 8.1.7 DatabasesJdbcoracleoci@localhost1521customerdb CloudScape 5.1 Type 4 Driver IBM Informix Type 4 DriverDataSource Classname com.ibm.db2.jcc.DB2DataSource Page Configuring Java Message Service Resources JMS Resources Relationship Between JMS Resources and Connector Resources JMS Destination Resources JMS Connection FactoriesJMS Physical Destinations Configuring JMS Provider Properties Accessing Remote Servers Foreign JMS Providers Configuring the Generic Resource Adapter Resource Adapter Properties False Foreign JMS Providers ManagedConnectionFactory Properties Administered Object Resource Properties Activation Spec Properties Configuring Java Message Service Resources Message causes a runtime exception Configuring JavaMail Resources Creating a JavaMail Session Creating a JavaMail Session Java EE Naming Services Jndi Resources Naming References and Binding Information Using External Jndi Repositories and Resources Using Custom Resources1JNDI Lookups and Their Associated References Using External Jndi Repositories and Resources Connector Resources An Overview of Connectors To Create a Connector Connection Pool Managing Connector Connection PoolsSpecify this name when creating a connector resource To Edit a Connector Connection Pool Create-connector-connection-pool Same transaction level as that specified in resource To Edit Connector Connection Pool Advanced Attributes Pool. Default value is false To Delete a Connector Connection Pool To create security maps for connector connection poolsTo Edit Security Maps for Connector Connection Pools To Edit Connection Pool Properties Managing Connector Resources To Set Up EIS AccessTo Create a Connector Resource Delete-connector-connection-pool To Delete a Connector Resource To Edit a Connector ResourceCreate-connector-resource To Configure the Connector Service Managing Administered Object ResourcesDelete-connector-resource To Create an Administered Object Resource To Edit an Administered Object Resource To Delete an Administered Object ResourceCreate-admin-object Delete-admin-object Web and EJB Containers SIP Servlet Container Editing SIP Container General Attributes Editing the Properties of the SIP ContainerEditing SIP Container Session Properties EJB Container Web ContainerEditing SIP Container Session Manager Properties Page Configuring Security Understanding Application and System Security Tools for Managing Security Managing Security of Passwords Encrypting a Password in the domain.xml FileAsadmin create-password-alias --user admin alias-name Asadmin create-password-alias --user admin jms-password Protecting Files with Encoded Passwords Changing the Master PasswordRestart the Enterprise Server for the relevant domain Restart the Enterprise Server Changing the Admin Password Working with the Master Password and Keystores Authenticating Entities About Authentication and Authorization1Enterprise Server Authentication Methods Specifying Jacc Providers Authorizing UsersVerifying Single Sign-On Configuring Message Security Understanding Users, Groups, Roles, and Realms Users Groups Roles Realms To Configure a Jdbc Realm for a Web, EJB Application Create a Jdbc realm About Digital Certificates Introduction to Certificates and SSLFollowing topics are discussed in this section About Secure Sockets Layer About Certificate Chains Using Name-based Virtual Hosts About Ciphers About Firewalls About Certificate Files Using the keytool Utility Using Java Secure Socket Extension Jsse ToolsChanging the Location of Certificate Files Display certificate information from a keystore of type JKS Delete a certificate from a keystore of type JKS Generating a Certificate Using thekeytool Utility Deleting a Certificate Using thekeytool Utility Certificate was added to keystore Saving cacerts.jks Storepass password Using Network Security Services NSS ToolsKeytool -delete Using the certutil Utility Verify the certificates generated in the previous bulletDisplay available certificates Certutil -L -d $CERTDBDIR Delete a certificate from an NSS certificate database Move a certificate from an NSS database to JKS format Modutil -list -dbdir $admin.domain.dir/$admin.domain/config Add a new PKCS11 module or tokenDelete a PKCS11 module from an NSS store List available token modules in an NSS store Using Hardware Crypto Accelerator With Enterprise Server About Configuring Hardware Crypto Accelerators Standard output will look similar to the following Configuring PKCS#11 TokensModutil -list -dbdir Asnssdb Managing Keys And Certificates This section describes the following topics Listing Keys and Certificates Standard output will be similar to the following Configuration for the SCA 1000 hardware accelerator Configuring J2SE 5.0 PKCS#11 ProvidersWorking With Private Keys and Certificates Property name=mytoken value=&InstallDir/mypkcs11.cfg Name=HW1000 Library=/opt/SUNWconn/crypto/lib/libpkcs11.so 126 Configuring Message Security Overview of Message Security Understanding Message Security in the Enterprise Server System AdministratorAssigning Message Security Responsibilities Application Developer Application DeployerAbout Username Tokens About Encryption About Digital SignaturesAbout Message Protection Policies Glossary of Message Security Terminology Response Policy Securing a Web Service Configuring Application-Specific Web Services Security Configuring the Enterprise Server for Message SecuritySecuring the Sample Application Actions of Request and Response Policy Configurations Configuring a JCE Provider Configuring Other Security FacilitiesAfter You Finish Save and close the file Security.provider.1=sun.security.provider.Sun Message Security Setup Enabling Providers for Message Security To specify the default server provider Configuring the Message Security ProviderTo specify the default client provider Creating a Message Security Provider Enabling Message Security for Application Clients Further Information Response-policy What is the Diagnostic Framework? Configuring the Diagnostic ServiceDiagnostic Service Framework Generating a Diagnostic Report Transactions What is a Transaction?About Transactions What is a Transaction? on Configuring Transactions on Transactions in Java EE Technology Admin Console Tasks for Transactions Configuring TransactionsThis section explains how to configure transaction settings Workarounds for Specific Databases To set a transaction timeout value Set any needed properties To set the location of the transaction logs Default value is To set the keypoint interval Configuring the Http Service Virtual Servers Http Listeners Configuring the Http Service 151 152 Managing Web Services Overview of Web Services Web Services Standards Java EE Web Service Standards Deploying and Testing Web Services Deploying Web Services Using Web Services Registries Viewing Deployed Web ServicesTesting Web Services Web Services Security Publishing a Web Service to a Registry Adding a Registry Monitoring Web Services Transforming Messages with Xslt Filters Viewing Web Service Statistics Monitoring Web Service Messages 160 Configuring the Object Request Broker An Overview of the Object Request Broker Configuring the ORB What is the ORB?Managing Iiop Listeners Iiop Listeners Thread Pools Working with Thread Pools About Logging Configuring LoggingLog Records Logger Namespace Hierarchy 1Enterprise Server Logger Namespaces Enterprise Server Logger Namespaces JTS Configuring General Logging Settings Configuring LoggingConfiguring Log Levels 171000.000 Viewing Server LogsDetails ThreadID=13 About Monitoring Monitoring Components and ServicesMonitoring in the Enterprise Server Overview of Monitoring About the Tree Structure of Monitorable ObjectsApplications Tree Following sections describe these sub-trees Http Service Tree JMS Service Tree Connector Service TreeResources Tree About Statistics for Monitored Components and Services ORB TreeThread Pool Tree Orb Connection-managers Connection-manager-1 EJB Container Statistics 1EJB Statistics 2EJB Method Statistics 3EJB Session Store Statistics EJB Session Store Statistics 4EJB Pool Statistics 5EJB Cache Statistics Web Container Statistics 6Timer Statistics7Web Container Servlet Statistics Http Service Statistics 8Web Container Web Module Statistics 9HTTP Service Statistics Developer Profile Jdbc Connection Pools Statistics 10JDBC Connection Pool Statistics JMS/Connector Service Statistics 11Connector Connection Pool Statistics Statistics for Connection Managers in an ORB 12Connector Work Management Statistics13Connection Manager in an ORB Statistics Transaction Service Statistics 15Transaction Service StatisticsThread Pools Statistics 14Thread Pool Statistics 15 Transaction Service Statistics Java Virtual Machine JVM StatisticsJVM Statistics 17JVM Statistics for Java SE- Class Loading 19JVM Statistics for Java SE- Garbage Collection 18JVM Statistics for Java SE- Compilation20JVM Statistics for Java SE- Memory 21JVM Statistics for Java SE Operating System Following table22JVM Statistics for Java SE Runtime 23JVM Statistics for Java SE Thread Info Enabling and Disabling Monitoring 24JVM Statistics for Java SE Threads To Configure Monitoring Levels Using asadmin Configuring Monitoring Levels Using the Admin ConsoleReturns Viewing Monitoring Data in the Admin Console Viewing Monitoring Data With the asadmin ToolTo Use the asadmin monitor Command to View Monitoring Data Viewing Monitoring Data 531628032 45940736 Command returns the following attributes and data Asadmin get --user adminuser --monitor server.jvmServer.http-service Understanding and Specifying Dotted Names Examples of the list and get Commands Server.applications.petstore Examples for the list --user admin-user --monitor Command Examples for the get --user admin-user --monitor CommandAsadmin list --user admin-user--monitor server Asadmin list --user admin-user--monitor server.applications Asadmin get --user admin-user--monitor server.jvm Attempt to get all attributes from a Java EE application Asadmin get --user admin-user--monitor server.jvm.badname To Use the PetStore ExampleAttempt to get a specific attribute from a subsystem Returns output will be similar to Asadmin list -m server.applications.petstore.signon-ejbjar Server.http-service Server.resources Server.thread-poolsReturns with dotted name removed for space considerations Monitoring Components and Services 201 Expected Output for list and get Commands at All Levels Top Level Applications Level Application has been deployed. It is not applicable if a Monitoring Components and Services 205 List -m Server.applications.app1 28HTTP-Service Level 29Thread-Pools Level Resources Level 31Transaction-Service LevelORB Level Level Using JConsoleJVM Level Securing JConsole to Application Server Connection Prerequisites for Connecting JConsole to Application Server Connecting JConsole to Application Server Connecting JConsole Securely to Application Server Monitoring Components and Services 213 214 Configuring Management Rules About Management Rules Configuring Management Rules Configuring Management Rules 217 218 Java Virtual Machine and Advanced Settings Tuning the JVM Settings Configuring Advanced Settings Restarting Automatically on Solaris Automatically Restarting a Domain or Node AgentThis Appendix contains the following topics Restarting Automatically on Solaris Creating a Windows Service Restarting Automatically on the Microsoft Windows Platform Start= auto DisplayName= display-name Security for Automatic Restarts Process name=as-service-name Sysproperty key=-XrsJvm-options-Xrs/jvm-options 226 Dotted Name Attributes for domain.xml Top Level Elements Top Level Elements Elements Not Aliased Elements Not Aliased 230 Asadmin Utility Asadmin Utility Appendix C The asadmin Utility 233 Common Options for Remote Commands Table C-1Remote Commands Required Options Multimode Command Prefix followed by the password name in uppercase letters Get, Set, and List Commands Server Lifecycle Commands Table C-2Server Lifecycle Commands Table C-2 Server Lifecycle Commands List and Status CommandsTable C-3List and Status Commands Deployment Commands Table C-4Deployment Commands Version Commands Message Queue Administration CommandsTable C-5Version Commands Table C-6Message Queue Commands Resource Management Commands Table C-7Resource Management Commands Table C-7 Resource Management Commands Configuration Commands Http and Iiop Listener CommandsLifecycle and Audit Module Commands Table C-8IIOP Listener Commands Profiler and SSL Commands JVM Options and Virtual Server CommandsTable C-9Lifecycle Module Commands Table C-10Profiler and SSL Commands Threadpool and Auth-Realm Commands Transaction and Timer CommandsTable C-11JVM Options and Virtual Server Commands Table C-12Threadpool and Auth-Realm Commands User Management Commands Registry CommandsTable C-13Transaction Commands Table C-14Transaction Commands Database Commands Rules and Monitoring CommandsTable C-16Rules and Monitoring Commands Diagnostic and Logging Commands Web Service CommandsTable C-17Database Commands Table C-18Diagnostic and Logging Commands Security Service Commands Table C-20Security Commands Password Commands Table C-21Password Commands Custom MBean Commands Verify CommandService Command Property Command Table C-25Property Command Index ACC JMS Logging ORB 256